Are Medical Devices the Next Ransomware Target?

Hacker News’ top story today was on vulnerabilities found in implantable pacemakers. It’s a troubling thought, particularly in conjunction with the recent (and preventable) ransomware attacks. What would you pay to unlock your pacemaker?

Is it a real risk? Fans of Showtime’s Homeland would tell you it is, and Dick Cheney would agree. Researcher Barnaby Jack was scheduled to demonstrate a remote hack on pacemakers at Black Hat 2013, but tragically passed away days before the event.

So what’s different this time? A much more straightforward approach, for one thing. Security researchers Billy Rios[1] and Jonathan Butts acquired pacemakers and supporting hardware and software for four different brands, and looked for weaknesses in architecture and execution. One of the biggest issues they found was one we see time and again — unpatched software libraries. 

Security Changes with Time

We need to remember that secure software is an ephemeral concept. What we think of as secure today can change overnight as new vulnerabilities are discovered and disclosed. As code ages, more vulnerabilities are likely to be disclosed. 

Black Duck’s 2017 Open Source Security and Risk Analysis (OSSRA) research found that the average commercial application included almost 150 discrete open source components, and that 67% of the applications included vulnerable open source components. Here is how that stacks up to Rios and Butts’ research.

[Figure: third-party components, vulnerable third-party components, and identified known vulnerabilities, pacemaker study versus OSSRA]

Use of Open Source

All four pacemakers used open source extensively, with over 86 unique components on average. Likewise, Black Duck found open source in 96% of the applications it reviewed across all industries, but with a far higher count of unique components — 147 unique components on average. This discrepancy could be due to missed components or dependencies. It can be difficult to find all of them manually. 

Vulnerable Applications

All four pacemakers examined contained open source components with vulnerabilities, and roughly 50% of all components included vulnerabilities. Most shockingly, the pacemakers had an average of 50 vulnerabilities per vulnerable component and over 2,000 vulnerabilities per vendor. This is far higher than what Black Duck found in its review of over 1,000 commercial applications, where the average vulnerable application included fewer than 30 vulnerabilities.

What Accounts for the Difference? 

It could be a number of things. The researchers (wisely) did not disclose which pacemakers they acquired, but since they were purchased from auction sites, we can assume they were not newer models. As previously stated, older code is likely to have had more vulnerabilities disclosed. 

Second, it’s not clear if the researchers checked for software/firmware updates from the vendors prior to analysis. Since these were not products under support agreements, my assumption is that they did not.

This may not matter, however. Our research shows that vendors are typically unaware of all of the open source they use, since it can enter the code base in so many ways. On average, prior to using Black Duck, our customers are aware of less than half of the third-party libraries they use.

What Should Manufacturers of Medical Devices Do?

It’s important to remember that the problem here isn’t the use of open source. It’s the fact that open source is often invisible to the organizations. Developers understand the functional requirements for the software, and pull in open source to help meet those requirements. This lowers development costs and accelerates time to market.

Unless organizations carefully track the open source they use, and map those components to the thousands of vulnerabilities disclosed in open source every year (though still fewer than those reported in commercial code), they are unable to protect their applications — and their customers — from vulnerabilities.
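The two points above (that a manual inventory misses components pulled in as dependencies, and that the inventory is only useful once it is mapped against disclosed vulnerabilities) can be shown in a few lines. The following is an added example, not code from Black Duck or from the pacemaker study: it walks a constructed dependency graph to build the full component inventory, then matches each component's version against a constructed advisory feed. Every component name, version and advisory id in it is a placeholder; the `first_fixed_version` rule (anything below it is affected) is a simplification of how real advisories express affected ranges.

```python
"""Inventory direct and transitive open source components and match them
against a vulnerability feed.  All data here is constructed for
illustration: component names, versions and advisory ids are placeholders."""
from collections import deque
from typing import Dict, Iterable, List, Set, Tuple

Component = Tuple[str, str]  # (name, version)

# Constructed manifest: each component lists the components it depends on.
# A hand-kept inventory usually records only the entries in DIRECT.
DEPENDENCIES: Dict[Component, List[Component]] = {
    ("telemetry-agent", "2.1.0"): [("libcomm", "1.4.2"), ("jsonlite", "0.9.1")],
    ("libcomm", "1.4.2"): [("tlsstack", "1.0.1")],
    ("jsonlite", "0.9.1"): [],
    ("tlsstack", "1.0.1"): [("compresslib", "3.2.0")],
    ("compresslib", "3.2.0"): [],
    ("ui-shell", "4.0.0"): [("jsonlite", "0.9.1")],
}

# The components the development team knowingly pulled in.
DIRECT: List[Component] = [("telemetry-agent", "2.1.0"), ("ui-shell", "4.0.0")]

# Constructed advisory feed: (advisory id, component, first fixed version).
# Any version below the first fixed version is treated as affected.
ADVISORIES: List[Tuple[str, str, str]] = [
    ("ADV-0001", "tlsstack", "1.0.2"),
    ("ADV-0002", "compresslib", "3.2.1"),
    ("ADV-0003", "jsonlite", "0.9.0"),  # already fixed in the version shipped
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def full_inventory(direct: Iterable[Component],
                   deps: Dict[Component, List[Component]]) -> Set[Component]:
    """Breadth-first walk of the dependency graph; returns every component
    reachable from the direct ones.  The seen-set also guards against cycles."""
    seen: Set[Component] = set()
    queue = deque(direct)
    while queue:
        comp = queue.popleft()
        if comp in seen:
            continue
        seen.add(comp)
        queue.extend(deps.get(comp, []))
    return seen


def affected(components: Iterable[Component],
             advisories: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return (advisory id, name, version) for every component whose version
    is below the advisory's first fixed version."""
    hits = []
    for adv_id, name, fixed in advisories:
        for comp_name, comp_version in components:
            if comp_name == name and parse_version(comp_version) < parse_version(fixed):
                hits.append((adv_id, comp_name, comp_version))
    return sorted(hits)


def report(direct: List[Component], deps: Dict[Component, List[Component]],
           advisories: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Compare what a direct-only inventory finds with the full transitive one."""
    everything = full_inventory(direct, deps)
    hits = affected(everything, advisories)
    direct_hits = affected(direct, advisories)
    return {
        "direct_components": len(direct),
        "total_components": len(everything),
        "vulnerable_components": len({(n, v) for _, n, v in hits}),
        "advisories_matched": len(hits),
        "missed_by_direct_only_inventory": len(hits) - len(direct_hits),
    }


if __name__ == "__main__":
    for key, value in report(DIRECT, DEPENDENCIES, ADVISORIES).items():
        print(f"{key}: {value}")
```

In the constructed data both affected components sit two and three levels below the direct dependencies, so an inventory that stops at the top level reports nothing while the full walk reports two matches. Real advisory feeds express affected ranges more richly than a single fixed version, and real manifests come from package lock files or a binary scan rather than a hand-written dictionary, but the shape of the check is the same.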

These vulnerabilities may open up users to targeted or non-targeted attacks. Depending on the software (home monitoring, physician, programmer, etc.) the attack could affect a single patient or an entire practice. The potential for monetary gain is very real; the healthcare provider in an attack may have to choose between a ransom and the welfare of its patients.

If the attack is on implantable medical devices, this can become a life or death decision.


[1] Alert readers will recognize Rios from his previous work identifying vulnerabilities in the Hospira drug infusion pump (the FDA was not amused). 

